
Apple has released Java for OS X 2012-001 and Java for Mac OS X 10.6 Update 7, featuring a dozen security fixes, including one for CVE-2012-0507, a vulnerability that has been used by a recent variant of the Flashback malware. As the information that Apple provides about this update says,

Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user.

This is exactly what happens with the recent variant of the Flashback malware that we discussed yesterday.

It's worth noting that Java is no longer provided with Mac OS X 10.7 Lion, but the first time a user needs to run it - when a Java applet loads, or when a user launches a Java applet on their Mac - the system will ask if the user wants to download it. If so, Apple provides the download directly. Apple also maintains their own version of Java. The new version of Java is 1.6.0_31.

Java is quickly becoming a new vector of attack for malware, and the Flashback malware has notably used Java in several different ways, taking advantage of known or unpatched vulnerabilities to get through a Mac's defenses. Java applets are not affected by Mac OS X's quarantine system. This means that Mac users do not get a warning dialog when Java applets are downloaded as objects in a web page. This also gets around Apple's Xprotect malware scanning system, which does not scan objects in web pages.

If you have Java on your Mac, this 66.6 MB update will be available via Software Update. If not, your Mac will offer to download it the first time it is needed.
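To confirm that a Mac is running the fixed build named above (1.6.0_31), the following added example, which is not part of the original post, parses `java -version` style output and compares it with that version. The function names are hypothetical and the sample output lines are constructed; it assumes the usual `java version "1.6.0_NN"` format.

```shell
#!/bin/sh
# Fixed Java build named in the article.
FIXED="1.6.0_31"

# Pull the quoted version out of `java -version` output, e.g. java version "1.6.0_29".
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([0-9][0-9._]*\)".*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing major.minor.patch_update numerically.
version_at_least() {
    a=$(printf '%s' "$1" | tr '._' '  ')
    b=$(printf '%s' "$2" | tr '._' '  ')
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}; a4=${4:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}; b4=${4:-0}
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3" "$a4:$b4"; do
        x=${pair%%:*}; y=${pair##*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Classify raw `java -version` output as patched, outdated or unknown.
java_patch_status() {
    v=$(parse_java_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_at_least "$v" "$FIXED"; then
        echo "patched $v"
    else
        echo "outdated $v"
    fi
}

# Constructed sample outputs (not captured from a real machine).
for sample in 'java version "1.6.0_29"' 'java version "1.6.0_31"' 'no version line'; do
    java_patch_status "$sample"
done

# On a live system: java_patch_status "$(java -version 2>&1)"
```

An "unknown" result means no version line was found, which is also what a Lion system without Java installed would report.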

So, if I have Intego installed and kept current, could my Mac have gotten infected? If it has, and I install the Apple security update, will the Flashback malware be disabled?

http://www.intego.com Intego

No. Not only will VirusBarrier X6 detect this malware, but its mere presence will prevent this malware from installing. It checks for the presence of a number of security programs, and cancels the installation if any of them are on the computer, in order to avoid being detected either during installation or later.